SHA256: ee95da1c0455b909f043c50016e1cb8dad4e5209f373f5e3a7b267287d0f61e0
File name: 905d26be4e5164abe35e79a75f64f7b4
Detection ratio: 44 / 57
Analysis date: 2016-09-02 07:16:57 UTC ( 2 years, 5 months ago )
Antivirus Result Update
Ad-Aware Trojan.Generic.7274567 20160902
AegisLab Troj.W32.Qhost.acln!c 20160902
AhnLab-V3 Trojan/Win32.Qhost.N530579219 20160902
ALYac Trojan.Generic.7274567 20160902
Arcabit Trojan.Generic.D6F0047 20160902
Avast VBS:Malware-gen 20160902
AVG Generic5_c.BEQA 20160902
Avira (no cloud) TR/Qhosts.BW 20160902
AVware Trojan.Win32.Generic!BT 20160902
Baidu Win32.Trojan.Qhost.by 20160902
BitDefender Trojan.Generic.7274567 20160902
Bkav W32.HfsAtITSTIL.3CC7 20160901
CMC PSWTool.Win32.NetPass!O 20160901
Comodo Heur.Suspicious 20160902
Cyren W32/AutoIt.AK.gen!Eldorado 20160902
Emsisoft Trojan.Generic.7274567 (B) 20160902
ESET-NOD32 Win32/Qhost.OQP 20160902
F-Prot W32/AutoIt.AK.gen!Eldorado 20160902
F-Secure Trojan.Generic.7274567 20160902
Fortinet W32/Qhost.OQP 20160902
GData Trojan.Generic.7274567 20160902
Ikarus Trojan.Win32.Qhost 20160901
Sophos ML trojandropper.autoit.pistolar.a 20160830
K7AntiVirus Trojan ( 700000111 ) 20160902
K7GW Trojan ( 700000111 ) 20160902
Kaspersky Trojan.Win32.Qhost.acln 20160902
Kingsoft Win32.Troj.Qhost.ac.(kcloud) 20160902
McAfee Artemis!905D26BE4E51 20160902
McAfee-GW-Edition BehavesLike.Win32.Yahlover.dc 20160902
Microsoft Trojan:Win32/Comisproc!gmb 20160902
eScan Trojan.Generic.7274567 20160902
NANO-Antivirus Trojan.Win32.Qhost.dziosa 20160902
Panda Generic Malware 20160901
Qihoo-360 Win32/Trojan.f9d 20160902
Rising Malware.Heuristic!ET (rdm+) 20160902
Sophos AV Mal/Generic-S 20160902
Symantec W32.Rontokbro@mm 20160902
Tencent Win32.Trojan.Qhost.Hqlh 20160902
TheHacker Trojan/Cosmu.bizd 20160902
TrendMicro TROJ_GEN.R047C0DI116 20160902
TrendMicro-HouseCall TROJ_GEN.R047C0DI116 20160902
VBA32 Trojan.Autoit.F 20160901
VIPRE Trojan.Win32.Generic!BT 20160831
Zillya Trojan.Qhost.Win32.9172 20160902
Alibaba 20160901
Antiy-AVL 20160902
CAT-QuickHeal 20160902
ClamAV 20160902
DrWeb 20160902
Jiangmin 20160902
Malwarebytes 20160902
nProtect 20160902
SUPERAntiSpyware 20160901
TotalDefense 20160902
ViRobot 20160902
Yandex 20160901
Zoner 20160902
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
File version 3, 3, 8, 1
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-01-29 21:32:28
Entry Point 0x000B8E70
Number of sections 3
PE sections
Overlays
MD5 64cd9ce9c4a10b024a50d5c6ba4a3c24
File type data
Offset 301568
Size 4388
Entropy 7.96
PE imports
ImageList_Remove
GetSaveFileNameW
LineTo
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
WNetGetConnectionW
VariantInit
EnumProcesses
DragFinish
LoadUserProfileW
VerQueryValueW
FtpOpenFileW
timeGetTime
CoInitialize
Number of PE resources by type
RT_ICON 12
RT_STRING 7
RT_GROUP_ICON 4
RT_DIALOG 1
RT_MANIFEST 1
RT_MENU 1
RT_VERSION 1
Number of PE resources by language
ENGLISH UK 25
ENGLISH US 2
PE resources
ExifTool file metadata
UninitializedDataSize 483328
InitializedDataSize 32768
ImageVersion 0.0
FileVersionNumber 3.3.8.1
LanguageCode English (British)
FileFlagsMask 0x0017
CharacterSet Unicode
LinkerVersion 10.0
FileTypeExtension exe
MIMEType application/octet-stream
FileVersion 3, 3, 8, 1
TimeStamp 2012:01:29 22:32:28+01:00
FileType Win32 EXE
PEType PE32
SubsystemVersion 5.0
OSVersion 5.0
FileOS Win32
Subsystem Windows GUI
CompiledScript AutoIt v3 Script: 3, 3, 8, 1
MachineType Intel 386 or later, and compatibles
CodeSize 274432
FileSubtype 0
ProductVersionNumber 3.3.8.1
EntryPoint 0xb8e70
ObjectFileType Unknown

File identification
MD5 905d26be4e5164abe35e79a75f64f7b4
SHA1 87e32290f52d10fcde57958087afcb80309ff3b8
SHA256 ee95da1c0455b909f043c50016e1cb8dad4e5209f373f5e3a7b267287d0f61e0
ssdeep 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIE9:v6Wq4aaE6KwyF5L0Y2D1PqL69
authentihash d2058b8694a941f1df8dc9c0d8048d12054889cd18e2bafd89a2565c21f92bec
imphash 890e522b31701e079a367b89393329e6
File size 298.8 KB ( 305956 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID AutoIt3 compiled script executable (87.6%)
UPX compressed Win32 Executable (5.2%)
Win32 EXE Yoda's Crypter (4.5%)
Win32 Dynamic Link Library (generic) (1.1%)
Win32 Executable (generic) (0.7%)
Tags peexe upx overlay

VirusTotal metadata
First submission 2012-03-07 15:56:06 UTC ( 6 years, 11 months ago )
Last submission 2013-04-21 07:58:47 UTC ( 5 years, 10 months ago )
File names 905d26be4e5164abe35e79a75f64f7b4
OITa9Hel3H.chm
vt_23555656.@
87e32290f52d10fcde57958087afcb80309ff3b8.bin
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight